[Pkg-libvirt-maintainers] Bug#1081396: libvirt-daemon: AppArmor support for QEMU domains is (mostly silently) disabled unless libvirt-daemon-driver-lxc is installed

Andrea Bolognani eof at kiyuko.org
Wed Sep 11 19:06:18 BST 2024


Control: severity -1 important

On Wed, Sep 11, 2024 at 02:21:07PM +0200, intrigeri wrote:
> If libvirt-daemon-driver-lxc is not installed, libvirtd logs this on startup:
> 
>   libvirtd[2085]: internal error: template '/etc/apparmor.d/libvirt/TEMPLATE.lxc' does not exist
> 
> … and then apparently the logic to generate AppArmor profiles for QEMU VMs and
> enforce them is disabled. That was not obvious to me: I thought "OK, I don't
> have the LXC driver installed, so sure that file is missing, it's fine" and did
> not guess this would break a previously working security feature.

Thanks for the report.

This is definitely *not* expected and *not* acceptable. AppArmor
confinement for QEMU domains should work regardless of whether or not
an unrelated hypervisor driver is installed.

I'll look into it. I'm fairly sure it will require an upstream fix.

> I'm under the impression that this breakage happened recently, because just
> a few weeks ago I had AppArmor denials break stuff for 1 of my VMs, so it must
> have been working back then.

There was a pretty massive package restructuring landing recently in
unstable with 10.7.0-1, after having marinated for some time in
experimental. So that would be the cause.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
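A host-side check for the failure mode this report describes, added here as an example (it is not code from the bug report, from libvirt or from the Debian package): it assumes the /etc/apparmor.d/libvirt/TEMPLATE.* layout quoted above and that a confined QEMU process carries a label of the form `libvirt-<domain uuid> (enforce)` in /proc/<pid>/attr/current.

```python
"""Check that libvirt's AppArmor confinement for QEMU domains is in effect
rather than silently disabled by a missing template (Debian bug #1081396).
Added example, not code from the report, libvirt or the Debian package.
Assumes the /etc/apparmor.d/libvirt/TEMPLATE.* layout quoted in the report
and that a confined QEMU process carries a label of the form
'libvirt-<domain uuid> (enforce)' in /proc/<pid>/attr/current.
"""
import re
from pathlib import Path

APPARMOR_DIR = "/etc/apparmor.d/libvirt"
# The report shows a missing TEMPLATE.lxc disabling QEMU confinement; require both.
TEMPLATES = ("TEMPLATE.qemu", "TEMPLATE.lxc")
_MISSING_RE = re.compile(r"template '([^']+)' does not exist")
_LABEL_RE = re.compile(r"^libvirt-[0-9a-f-]{36} \((enforce|complain)\)$")

def missing_templates(apparmor_dir=APPARMOR_DIR):
    """Template files whose absence the report shows disabling confinement."""
    return [t for t in TEMPLATES if not (Path(apparmor_dir) / t).is_file()]

def templates_reported_missing(log_lines):
    """Pull template paths out of libvirtd log lines like the one in the report."""
    return [m.group(1) for line in log_lines if (m := _MISSING_RE.search(line))]

def classify_label(label):
    """Map a /proc/<pid>/attr/current value for a QEMU process to a verdict."""
    label = label.strip()
    m = _LABEL_RE.match(label)
    if m:
        return "confined-" + m.group(1)  # per-domain libvirt profile applied
    return "unconfined" if label == "unconfined" else "other"

def qemu_processes():
    """Yield (pid, label) for running QEMU processes by reading Linux /proc."""
    for p in Path("/proc").iterdir():
        if not p.name.isdigit():
            continue
        try:
            exe = (p / "cmdline").read_bytes().split(b"\0")[0].decode()
            if not Path(exe).name.startswith("qemu"):
                continue
            yield int(p.name), (p / "attr" / "current").read_text()
        except OSError:
            continue  # process exited or not readable

if __name__ == "__main__":
    for t in missing_templates():
        print(f"missing {APPARMOR_DIR}/{t}: QEMU confinement is likely disabled")
    for pid, label in qemu_processes():
        print(f"qemu pid {pid}: {classify_label(label)}")
```

Run it as root on the libvirt host so every QEMU process's attribute file is readable; any domain reported as `unconfined` is running without the per-domain profile the report expects.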